CVE-2020-13940

CWE-611XML External Entity (XXE)5 documents5 sources
Severity
5.5MEDIUM
EPSS
1.0%
top 23.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Nifi
Timeline
PublishedOct 1
Latest updateJan 6

Description

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

Mavenorg.apache.nifi:nifi1.0.01.12.0-RC1
NVDapache/nifi1.0.01.11.4
CVEListV5apache_nifiApache NiFi 1.0.0 to 1.11.4

🔴Vulnerability Details

3
GHSA
Improper Restriction of XML External Entity Reference in Apache NiFi2022-01-06
OSV
Improper Restriction of XML External Entity Reference in Apache NiFi2022-01-06
CVEList
CVE-2020-13940: In Apache NiFi 12020-10-01

📋Vendor Advisories

1
Apache
Apache nifi: CVE-2020-13940
CVE-2020-13940 (MEDIUM CVSS 5.5) | In Apache NiFi 1.0.0 to 1.11.4 | cvebase.io